[GH-ISSUE #703] When using non-default shell, FireJail shouldn't throw an error if Bash is missing inside the chroot #480

Closed
opened 2026-05-05 05:56:28 -06:00 by gitea-mirror · 6 comments

Originally created by @nuxwin on GitHub (Aug 12, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/703

We use FireJail on top of our jail builder (MakeJail) to isolate our restricted shells. We use makejail to create the chroot and then, we set the login shell to `/usr/local/bin/firejail`. Depending on the chroot configuration, we can have `busybox` inside our chroot or bash. We tell firejail to use the correct shell using the `--shell` option in the login.users file. For instance:

```
nuxwin:--chroot=/var/chroot/InstantSSH/shared_jail --quiet --dns=8.8.8.8 --dns=8.8.4.4 --name=nuxwin --noprofile --nonewprivs --ipc-namespace --rmenv=container --seccomp --shell=/bin/ash
```

```
root@srv01:/usr/local/etc/firejail# ls -la /bin/ash
lrwxrwxrwx 1 root root 12 août  12 22:48 /bin/ash -> /bin/busybox
```

The problem is that if we use busybox (ASH) without copying bash inside the chroot, FireJail throws an error. This shouldn't occur.

Thank you.

gitea-mirror 2026-05-05 05:56:28 -06:00
  • closed this issue
  • added the bug label

@manevich commented on GitHub (Aug 12, 2016):

Can you provide more detail about the error? Which version of firejail are you using?
`firejail --shell=/bin/sh` works for me on a busybox system without `/bin/bash`.


@nuxwin commented on GitHub (Aug 12, 2016):

@manevich

I used the latest release:

```
root@srv01:/var/chroot/InstantSSH/shared_jail/etc# firejail --version
firejail version 0.9.42~rc1
X11 support is disabled
```

I've created a chroot with makejail script and I've done some bind mounts as usual. I copied the `busybox` binary inside the chroot and created a symlink to it (/bin/ash to /bin/busybox) inside the chroot. Then, I've set the `--shell` option to `/bin/ash` (not /bin/sh) but this should not change anything. In the chroot, I've not copied `/bin/bash` (expected since I want only ASH).

The problem is that when logging in through SSH, firejail throws an error because `/bin/bash` is missing inside the chroot. If I copy it, that works as expected and login shell is ASH as expected...

I'll reproduce the problem and show you the exact output in a few minutes.


@nuxwin commented on GitHub (Aug 12, 2016):

@manevich

Exact output:

```
nuxwin@dev:~$ ssh nuxwin@192.168.1.133
nuxwin@192.168.1.133's password: 

  ___           _              _     ____ ____  _   _
 |_ _|_ __  ___| |_ __ _ _ __ | |_  / ___/ ___|| | | |
  | || '_ \/ __| __/ _` | '_ \| __| \___ \___ \| |_| |
  | || | | \__ \ || (_| | | | | |_   ___) |__) |  _  |
 |___|_| |_|___/\__\__,_|_| |_|\__| |____/____/|_| |_|


Welcome to your shell.

If you need a specific command, get in contact with your reseller.

i-MSCP InstantSSH plugin v4.1.0
Copyright (c) 2014-2016 Laurent Declercq <l.declercq@nuxwin.com>

Last login: Sat Aug 13 00:09:11 2016 from 192.168.1.100
Error: cannot find /bin/bash in chroot directory
Error: invalid chroot
Connection to 192.168.1.133 closed.
nuxwin@dev:~$
```

My passwd entry for the `nuxwin` user is as follows:

```
# getent passwd nuxwin
nuxwin:x:1003:1003:Laurent Declercq,,,:/home/nuxwin:/usr/local/bin/firejail
```

My `login.users` file is as follows:

```
root@srv01:/var/chroot/InstantSSH/shared_jail/bin# cat /usr/local/etc/firejail/login.users
# /etc/firejail/login.users - restricted user shell configuration
#
# Each user entry consists of a user name and firejail
# program arguments:
#
#       user name: arguments
#
# For example:
#
#       netblue:--net=none --protocol=unix
#
# The extra arguments are inserted into program command line if firejail
# was started as a login shell.

nuxwin:--chroot=/var/chroot/InstantSSH/shared_jail --name=nuxwin --shell=/bin/ash
```

The `/bin` directory of the chroot (seen from outside) is as follows:

```
root@srv01:/var/chroot/InstantSSH/shared_jail/bin# ls -la
total 2264
drwxrwxr-x  2 root root    4096 août  13 01:28 .
drwxr-xr-x 14 root root    4096 août  13 01:28 ..
lrwxrwxrwx  1 root root      12 août  13 01:28 ash -> /bin/busybox
-rwxr-xr-x  1 root root 1837008 févr. 18  2015 busybox
-rwxr-xr-x  1 root root  150824 mars  14  2015 cp
-rwxr-xr-x  1 root root   27080 mars  14  2015 false
-rwxr-xr-x  1 root root  196016 juil. 16  2014 nano
-rwxr-xr-x  1 root root   93096 mars   6  2015 ps
lrwxrwxrwx  1 root root       8 août  13 01:28 sh -> /bin/ash
```

Info about my environment:

```
# firejail --version
firejail version 0.9.42~rc1
X11 support is disabled.

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.5 (jessie)
Release:    8.5
Codename:   jessie
root@srv01:/var/chroot/InstantSSH/shared_jail/bin#
```

@manevich commented on GitHub (Aug 12, 2016):

Thanks, found it https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L1114
This is a bug.
Will look at it later.


@nuxwin commented on GitHub (Aug 12, 2016):

@manevich

Thank you so much ;)


@netblue30 commented on GitHub (Aug 13, 2016):

Fixed on master branch, thanks for the bug.
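
An added example, not part of the original thread and not firejail's code: a host-side preflight check for `login.users` entries in the format shown above. It resolves the `--shell` path the way a chrooted process would, so an absolute symlink such as `/bin/ash -> /bin/busybox` is followed inside the jail rather than on the host; the function names are hypothetical, and the `/bin/bash` column reflects only the error reported in this thread for 0.9.42~rc1.

```python
import os
import shlex

MAX_LINKS = 40  # symlink hop limit, so a link loop cannot hang the check

def _parts(path):
    return [p for p in path.split("/") if p not in ("", ".")]

def resolve_in_chroot(root, path):
    """Resolve path as a process chrooted into root would see it: absolute
    symlink targets restart at root, not at the host /. Returns the host-side
    path, or None if a component is missing or the links loop."""
    root = os.path.realpath(root)
    cur, todo, hops = root, _parts(path), 0
    while todo and hops <= MAX_LINKS:
        part = todo.pop(0)
        nxt = os.path.join(cur, part)
        if part == "..":
            cur = cur if cur == root else os.path.dirname(cur)  # cannot climb out
        elif os.path.islink(nxt):
            hops += 1
            target = os.readlink(nxt)
            cur = root if target.startswith("/") else cur
            todo = _parts(target) + todo
        elif os.path.lexists(nxt):
            cur = nxt
        else:
            return None
    return None if todo else cur

def is_exec_in_chroot(root, path):
    hit = resolve_in_chroot(root, path)
    return bool(hit) and os.path.isfile(hit) and os.access(hit, os.X_OK)

def check_login_users(text):
    """Return (user, shell, shell_ok, bash_ok) for entries with --chroot and --shell."""
    out = []
    for line in text.splitlines():
        user, sep, args = line.strip().partition(":")
        if not sep or user.startswith("#"):
            continue
        opts = dict(a[2:].split("=", 1) for a in shlex.split(args)
                    if a.startswith("--") and "=" in a)
        if "chroot" in opts and "shell" in opts:
            root, shell = opts["chroot"], opts["shell"]
            out.append((user.strip(), shell, is_exec_in_chroot(root, shell),
                        is_exec_in_chroot(root, "/bin/bash")))
    return out
```

Run as root on the host against the contents of `login.users`; a row with `shell_ok` false means that user's login would fail, and a false `bash_ok` matches the setup this issue was reported from.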

Reference: github-starred/firejail#480